Module 4 Planning for Group Policy

Module Overview Planning Group Policy Application Planning Group Policy Processing Planning the Management of Group Policy Objects Planning the Management of Client Computers

Lesson 1: Planning Group Policy Application Demonstration: Reviewing and Modifying Group Policy Settings Considerations for Group Policy Application Group Policy Application Exceptions New Group Policy Features in Windows Server 2008

Demonstration: Reviewing and Modifying Group Policy Settings In this demonstration, you see how to: Review and modify Group Policy settings

Considerations for Group Policy Application Considerations Computer settings are processed when the computer starts User settings are processed when a user logs on Speed up processing by disabling unnecessary parts of a GPO GPOs are cached and updated at timed intervals

Group Policy Application Exceptions The Group Policy application exceptions are: Slow link processing Cached credentials Remote Access connections Moved computer or user objects

New Group Policy Features in Windows Server 2008 The Group Policy features are: New policies Power management settings Blocking device installation Firewall and IPSec settings Internet Explorer settings Location-based printing Delegation of printer driver installation ADMX templates Network Location Awareness

Lesson 2: Planning Group Policy Processing Considerations for Active Directory Structure Considerations for Using Filtering Considerations for Modifying Inheritance Considerations for Using Loopback Processing Demonstration: Modifying Group Policy Processing

Considerations for Active Directory Structure Site Domain OU GPO2 GPO3 GPO4 GPO5 GPO1 Local policy

Considerations for Using Filtering Filtering is applied to a GPO and not links Security Filtering: WMI Filtering Controls the application of GPOs based on security groups Can simplify OU planning Controls the application of GPOs based on computer characteristics Can be used to control software distribution

Considerations for Modifying Inheritance Considerations Blocking inheritance is not selective, all GPOs are blocked Use enforcement to enforce organization-wide standards You cannot enforce a filtered GPO

Considerations for Using Loopback Processing Considerations Loopback processing is for special use computers Use merge mode to apply additional restrictions Use replace mode to apply the same settings to all users To provide less restrictive settings, use replace mode Use loopback processing to secure Terminal Servers

Demonstration: Modifying Group Policy Processing In this demonstration, you will see how to: Modify Group Policy processing

Lesson 3: Planning the Management of Group Policy Objects Considerations for Administering Group Policy Objects What Are Starter GPOs? Considerations for Reusing or Copying GPOs Considerations for Backing Up and Restoring GPOs Considerations for Delegating Management of GPOs Discussion: Managing Group Policy

Considerations for Administering Group Policy Objects Considerations GPMC can be installed on Windows Vista SP1 A GPO is stored in Active Directory and SYSVOL New GPOs must be replicated to all domain controllers ADMX templates reduce GPO size Create a central store for ADMX templates ADMX templates are easier to extend than ADM templates ADMX templates can be used only by Windows Server 2008 and Windows Vista Migrate customized ADM templates to ADMX templates by using the ADMX migrator Use Group Policy tools for troubleshooting and planning

What Are Starter GPOs? Starter GPOs are GPO templates that contain administrative templates settings You can use starter GPOs: To standardize GPO creation To move GPOs easily between domains To distribute customized settings to partners

Considerations for Reusing or Copying GPOs A single GPO linked to multiple locations allows for centralized management You should carefully control the permission on a GPO that is linked to multiple locations It is difficult to synchronize settings between multiple GPOs For common settings, use a single GPO linked to multiple locations For unique settings, use an individual GPO for an OU

Considerations for Backing Up and Restoring GPOs System state backups of a domain controller are difficult to recover GPOs from Backup of GPO with GPMC before making changes GPO backups can be scheduled with scripts Only Read permissions are required to back up a GPO Restoring from backup includes filtering information Importing settings from backup does not include filtering information GPO backups can contain multiple versions

Considerations for Delegating Management of GPOs You can use GPMC to delegate permissions for managing GPOs Members of Domain Admins and Group Policy Creator Owners group can create GPOs Members of Domain Admins, Enterprise Admins, and domain local Administrators can link GPOs in a domain Members of Domain Admins and Enterprise Admins can edit GPOs

Discussion: Managing Group Policy Who is responsible for managing Group Policy in your organization? Does your organization back up GPOs? Does your organization have a need to standardize GPOs by using starter policies?

Lesson 4: Planning the Management of Client Computers Why Manage Client Computers? Methods for Managing Client Computers Considerations for Using Group Policy Preferences Demonstration: Using Group Policy Preferences Considerations for Deploying Software by Using Group Policy Considerations for Using Scripts Considerations for Using Folder Redirection

Why Manage Client Computers? Managing client computers saves time and money for the organization by: Distributing applications Enforcing security settings Enforcing application settings Standardizing the user environment

Methods for Managing Client Computers The methods for managing client computers are: Group Policy settings Group Policy preferences Scripts Windows Server Update Services System Center Configuration Manager

Considerations for Using Group Policy Preferences You can use both Group Policy settings and Group Policy preferences Preference settings are not enforced and can be modified by the user Application of Group Policy preferences is supported for Windows XP with SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server 2008 Use the Data Sources node to easily add or modify ODBC data sources for applications Use the Drive Maps node as an alternative to mapping drive letters by using a logon script Use the Start Menu and Shortcuts node to standardize the ways of starting applications Use the Internet Settings node to standardize the configuration of Internet Explorer Use targeting to determine which users and computers a preference item will apply to

Demonstration: Using Group Policy Preferences In this demonstration, you see how to: Use Group Policy preferences

Considerations for Deploying Software by Using Group Policy Assign an application to create a Start Menu shortcut Assign an application to a computer to install before use Assign an application to a user or publish it to limit disk utilization Enable document activation to automatically install the application required to open a document Use categories to organize published applications Use transform files to customize installation Use mandatory upgrades to keep application versions consistent Use forced removal to remove applications from computers

Considerations for Using Scripts Scripts can be written in any scripting language supported by the client computer Considerations: Logon scripts are commonly used for mapping drive letters Use Group Policy to implement logon scripts Startup and shutdown scripts can be used for computer- specific tasks Group Policy scripts should be stored on SYSVOL

Considerations for Using Folder Redirection My Documents is not the only folder that can be redirected Folder redirection simplifies backup of user data Folder redirection reduces the size of user profiles Redirect My Documents to a home folder for private storage Redirect My Documents to a departmental share for shared storage Allow folder permissions to be configured automatically Use offline files with folder redirection

Lab: Planning for Group Policy Exercise 1: Creating a Group Policy Plan Exercise 2: Implementing Group Policy Estimated time: 60 minutes Logon information Virtual machine 6430B-SEA-DC1 User name Adatum\Administrator Password Pa$$w0rd

Lab Scenario Adatum has never implemented Group Policy other than for basic password configuration in the domain using the default GPOs. After attending a recent seminar, the IT manager wants to use Group Policy more effectively for the organization. You have been tasked with creating a plan for implementing Group Policy.

Module Review and Takeaways Review Questions